<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Esc1 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/esc1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/esc1/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Certificate Issuance and Authentication via AD CS ESC1</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-esc1-certificate-abuse/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-esc1-certificate-abuse/</guid><description>This analytic detects suspicious certificate issuance with a Subject Alternative Name (SAN) via Active Directory Certificate Services (AD CS) followed by immediate authentication, using Windows Security Event Logs (EventCode 4887 and 4768), which, if successful, can lead to privilege escalation and environment compromise.</description><content:encoded><![CDATA[<p>This detection identifies potential abuse of Active Directory Certificate Services (AD CS) through the ESC1 attack vector. This involves the issuance of a suspicious certificate containing a Subject Alternative Name (SAN) followed by its immediate use for authentication. The activity is detected by correlating Windows Security Event Logs, specifically Event ID 4887 (certificate issuance) and Event ID 4768 (Kerberos authentication). This technique exploits improperly configured certificate templates within AD CS, which can lead to unauthorized privilege escalation and full compromise of the Windows environment. The activity is significant as a successful attacker can gain domain administrator privileges using tools like Certipy, potentially leading to lateral movement, data exfiltration, or deployment of ransomware. The detection leverages the Splunk ES datamodel and is based on work published by SpecterOps and others.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromises a user account or gains access to a system with permissions to request certificates.</li>
<li>The attacker identifies vulnerable certificate templates that allow for Subject Alternative Name (SAN) spoofing, specifically user principal name (UPN).</li>
<li>The attacker crafts a certificate request, forging the SAN to impersonate a high-privilege user (e.g., Domain Admin).</li>
<li>The attacker submits the malicious certificate request to the AD CS server, triggering Event ID 4887, which indicates a certificate with a SAN was issued.</li>
<li>The AD CS server, if misconfigured, issues the certificate based on the tampered request.</li>
<li>The attacker uses the issued certificate to request a Kerberos Ticket Granting Ticket (TGT) for the impersonated user, generating Windows Event ID 4768 with the certificate thumbprint.</li>
<li>The attacker successfully authenticates as the high-privilege user.</li>
<li>The attacker uses the elevated privileges to perform malicious activities, such as lateral movement, data exfiltration, or domain compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to complete domain compromise. By exploiting misconfigured certificate templates, attackers can escalate privileges to domain administrator, gaining full control over the Active Directory environment. This allows them to move laterally within the network, access sensitive data, deploy ransomware, or disrupt critical services. The impact can be widespread, affecting all systems and users within the compromised domain, causing significant financial and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable enhanced audit logging on AD CS and within Group Policy Management for CS server as outlined in the Certified Pre-Owned whitepaper (reference URL).</li>
<li>Deploy the Sigma rule &quot;Detect Suspicious Certificate Issuance with SAN&quot; to detect Event ID 4887 with attributes indicative of ESC1 exploitation.</li>
<li>Deploy the Sigma rule &quot;Detect Kerberos Authentication with Newly Issued Certificate&quot; to detect Event ID 4768 that correlates with recent certificate issuance activity.</li>
<li>Review and remediate any certificate templates that allow for arbitrary SAN values to prevent ESC1 exploitation as described in the SpecterOps whitepaper.</li>
<li>Throttle correlation by RequestId/ssl_serial to reduce false positives and improve detection fidelity, as mentioned in the &quot;how_to_implement&quot; section.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esc1</category><category>certificate_abuse</category><category>privilege_escalation</category><category>windows</category></item></channel></rss>